Get James Bond in here: 13 million account passwords plundered from 000webhost

If he had a copy of the database, why did he also need 000webhost to give him the same info to fill his database? Something smells fishy with this large database of compromised users from around the world. How much would a hacker make if they broke in to HaveIBeenPwned?

Have an account with them so not surprised to see my username pop up on the pwned website. So they reset all passwords with 'still' zero communication to their users about the breach.

They have this notice on the log-in page for members: "Important! Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later."

Bastards.

"We removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress."

Translation: we bolted the stable door.

Ummmm........

.......a free website hosted in Cyprus (or at least owned there) and the users expect security?

But it was free!!!!

Ah, PR disaster handling

Cyprus-headquartered 000webhost admitted: "A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

"We removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress."

What they actually said is that they made their website ages ago and never updated it, so they were thoroughly pwned. Now, they are pretending to do something to cover the issue.

The investigation is simple : an old PHP exploit should not be allowed to exist on an ISP's website. An ISP should be well aware of best practices and apply them rigorously.

A message from CEO Arnas Stuopelis about 000webhost data breach.

We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers' personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.

We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.

At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.

Our user’s sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.

Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.

Contact:

Arnas Stuopelis

CEO, Hostinger

press@hostinger.com